Slashdot Mirror


Your Privacy and Offshore Outsourcing

An anonymous reader sends in a link to this story about medical transcription work and patient privacy. You probably recall the original story (from around October 2003), but the Chronicle here does a great job of tracing the entire chain of sub-sub-sub-sub-sub-contracting.

19 of 236 comments

  1. Rather have it offshore by EmbeddedJanitor · · Score: 4, Informative

    I'd rather have some person in India or wherever know I've got some embarrassing disease than the gossipy old cow that lives over the road.

    --
    Engineering is the art of compromise.
  2. Re:HIPPA Violation ? by Anonymous Coward · · Score: 2, Informative

    It's *HIPAA*, not, and I repeat, *NOT*, HIPPA.

  3. Re:HIPPA Violation ? by stox · · Score: 5, Informative

    Sadly, this is a perfect example of a gaping loophole in the law. It doesn't apply to contractors outside the hospital, it only applies to the hospital.

    --
    "To those who are overly cautious, everything is impossible. "
  4. Re:the point to be made here by DAldredge · · Score: 5, Informative

    From http://www.hipaadvisory.com/action/LegalQA/law/Legal44.htm

    QUESTION: To what extent does the HIPAA Privacy Rule (the "Privacy Rule") govern contracts with foreign contractors and subcontractors?

    ANSWER: Contractors and subcontractors, whether foreign or domestic, are generally not directly covered by the Privacy Rule. However, the business associate agreement requirements imposed on covered entities with respect to their business associates will usually apply. The Privacy Rule (as we all know by now) applies to covered entities, i.e., health plans, clearinghouses, and providers who transmit health information in electronic form in connection with a HIPAA covered transaction. A covered entity is permitted to disclose PHI to a business associate if the covered entity obtains satisfactory assurances in the form of a written contract or agreement that the business associate will "appropriately safeguard" the information.

    The Privacy Rule describes two different scenarios in which a HIPAA-related business association may arise. First, when the right to use, disclose, create, or obtain PHI is delegated to a third party for use on behalf of the covered entity. Second, where a third party provides certain specified services to a covered entity and the provision of those services involves the disclosure of PHI by the covered entity to such third party. The specified services are legal, actuarial, accounting, consulting, management, administrative, accreditation, data aggregation, and financial services. It is important to note that each and every relationship between a covered entity and a third party does not constitute a business association that gives rise to the requirement for a business associate agreement as set forth under the Privacy Rule.

    By executing a business associate agreement, a business associate contractually obligates itself to protect the PHI and to not use or further disclose the PHI other than as permitted or required under the agreement or as required by law (American). The Privacy Rule includes required components for a business associate agreement. One of these provisions is the requirement that any agents or subcontractors of the business associate must agree to the same restrictions and conditions agreed to by the business associate.

    Enforcement of such agreements is a frequently voiced concern when the business associate or subcontractor is in a foreign country. Under the Privacy Rule, the US Department of Health and Human Services only has enforcement authority over covered entities (unless a business associate happens to also be a covered entity). Furthermore, while a business associate or subcontractor must contractually agree to protect PHI and comply with the Privacy Rule to the same extent as the covered entity, the problem with these types of arrangements arises if the foreign business associate breaches the agreement. Depending on the legal system of the foreign country, which may range from comparable to that of the United States to non-existent, the covered entity may well have difficulty enforcing such an agreement in foreign courts. Even if the business associate agreement requires US law to apply and provides that all disputes be settled in US courts, if the contractor is situated in another country and has no property or contacts in the US, such a provision will offer small comfort.

    Under the Privacy Rule, covered entities are required to mitigate any harmful effects of a wrongful use or disclosure of PHI by the covered entity or its business associates. And although covered entities must terminate business associate agreements when they "know" of a pattern of activity which is a material violation of the agreement and are unable to cure it, the Privacy Rule does not require covered entities to monitor the activities of their business associates. In spite of this seeming protection, as a practical matter, it is likely that patients who have been damaged by a business associate's breach of an agreement will seek compe

  5. HIPAA by DAldredge · · Score: 4, Informative

    http://www.hipaadvisory.com/action/LegalQA/law/Legal44.htm

    QUESTION: To what extent does the HIPAA Privacy Rule (the "Privacy Rule") govern contracts with foreign contractors and subcontractors?

    ANSWER: Contractors and subcontractors, whether foreign or domestic, are generally not directly covered by the Privacy Rule. However, the business associate agreement requirements imposed on covered entities with respect to their business associates will usually apply. The Privacy Rule (as we all know by now) applies to covered entities, i.e., health plans, clearinghouses, and providers who transmit health information in electronic form in connection with a HIPAA covered transaction. A covered entity is permitted to disclose PHI to a business associate if the covered entity obtains satisfactory assurances in the form of a written contract or agreement that the business associate will "appropriately safeguard" the information.

    The Privacy Rule describes two different scenarios in which a HIPAA-related business association may arise. First, when the right to use, disclose, create, or obtain PHI is delegated to a third party for use on behalf of the covered entity. Second, where a third party provides certain specified services to a covered entity and the provision of those services involves the disclosure of PHI by the covered entity to such third party. The specified services are legal, actuarial, accounting, consulting, management, administrative, accreditation, data aggregation, and financial services. It is important to note that each and every relationship between a covered entity and a third party does not constitute a business association that gives rise to the requirement for a business associate agreement as set forth under the Privacy Rule.

    By executing a business associate agreement, a business associate contractually obligates itself to protect the PHI and to not use or further disclose the PHI other than as permitted or required under the agreement or as required by law (American). The Privacy Rule includes required components for a business associate agreement. One of these provisions is the requirement that any agents or subcontractors of the business associate must agree to the same restrictions and conditions agreed to by the business associate.

    Enforcement of such agreements is a frequently voiced concern when the business associate or subcontractor is in a foreign country. Under the Privacy Rule, the US Department of Health and Human Services only has enforcement authority over covered entities (unless a business associate happens to also be a covered entity). Furthermore, while a business associate or subcontractor must contractually agree to protect PHI and comply with the Privacy Rule to the same extent as the covered entity, the problem with these types of arrangements arises if the foreign business associate breaches the agreement. Depending on the legal system of the foreign country, which may range from comparable to that of the United States to non-existent, the covered entity may well have difficulty enforcing such an agreement in foreign courts. Even if the business associate agreement requires US law to apply and provides that all disputes be settled in US courts, if the contractor is situated in another country and has no property or contacts in the US, such a provision will offer small comfort.

    Under the Privacy Rule, covered entities are required to mitigate any harmful effects of a wrongful use or disclosure of PHI by the covered entity or its business associates. And although covered entities must terminate business associate agreements when they "know" of a pattern of activity which is a material violation of the agreement and are unable to cure it, the Privacy Rule does not require covered entities to monitor the activities of their business associates. In spite of this seeming protection, as a practical matter, it is likely that patients who have been damaged by a business associate's breach of an agreement will seek compensation fr

  6. Re:Transcriptionist by rev_sanchez · · Score: 5, Informative

    When many doctors do their own transcription they use software with templates for common diagnoses. Pick the ailment and fill in the blanks. Offshore transcription runs about 12 cents/line. Domestic services run about 17-20 cents/line, but you get native English speakers and U.S. privacy laws (HIPAA).

    --
    If you didn't come to party don't bother knocking on my door. Prince '1999'
  7. In Europe... by paugq · · Score: 5, Informative

    In Europe this would never ever have happened: our laws are very strong regarding personal data and privacy.

    For instance, if a company here in Spain keeps customers' data in a database, and the company wants to have that database hosted abroad (for example, for its website), in the USA, France, or any other country in the world, one person -with a name and a surname- of that company has to ask the Director of the Data Protection Agency for written permission to do so.

    Break privacy laws and you'll face a monetary penalty from $600 to $600,000.

  8. Yes it is.. by zedpol · · Score: 3, Informative

    My brother owns a dental office; part of being HIPAA compliant is getting any place you subcontract with to agree to the HIPAA privacy laws. I set up an offsite backup system for them, but before they could upload any of their patient data they had to get the company to agree to their privacy statement.

    --
    --I swear, it was a case of isolated idiopathic hemiballismus
  9. Meditalk by students · · Score: 3, Informative

    Meditalk is the name of the software used for the dictation system. It's real time, so the doctor can check for errors while he talks. The biggest problem with it was the support contractor (not Quincy Systems) who forged a signature on a document.

  10. American Express by Anonymous Coward · · Score: 1, Informative

    American Express outsources certain departments to India. There is a good chance your American Express info could be stolen by someone. From talking to people in the call centers over there it appears Bank of America is over there too.

  11. Re:Transcriptionist by Anonymous Coward · · Score: 2, Informative

    HIPAA requires that all subcontractors are also HIPAA compliant. If the cheap foreign labor isn't, your doctor is liable. If your data gets published, sue your doctor's ass off. In the end, his insurance company will foot the bill. It won't be long before they figure out a solution that limits their exposure to liability.

  12. Tape Storage by superpulpsicle · · Score: 2, Informative

    People sound surprised that their data ends up in some third-world country's facilities. To be honest, big companies have had terabytes of data stored in other countries for years. Usually it's the historical data beyond a 1-year full backup that ends up in some other country.

    Granted, yes, it takes effort to dig it up. But still, the data is theoretically outsourced.

  13. Condoms for Data. by t_allardyce · · Score: 5, Informative

    Just pimping out our nice little Data Protection Act we've had in the UK for 16 years (I think it's European too):

    -You have the right to access any personal data any company/organisation holds on you, including the police (the police can be exempt in certain situations), government agencies, your school, shops etc., and this can include video and internal memos about you and non-electronically stored data, AFAIK

    -You have the right to know who is holding what and what they intend to do with it

    -It can't be taken outside the European Economic Area without your consent

    -Security measures must be taken to ensure it's safe

    uhuh uhuh you know you want it yeah! come on! pah in-your-face like a can-of-mace!

    --
    This comment does not represent the views or opinions of the user.
  14. insurance information by Johnny+Mnemonic · · Score: 3, Informative

    I know many of you work in the health care business, and take HIPAA pretty seriously. I work in it myself, although in a tangential relationship, and don't have to abide by HIPAA due to the nature of my facility.

    However, my wife works in the insurance business; specifically, she evaluates claims made against her company for legitimacy. She has the ability to draw upon resources that will tell her any individual's medical history, public and private; she can relatively easily flaunt the protections of HIPAA, although she can't reveal that she knows more about your medical condition than you do. She's not clear on how her resources can determine the things that they do, but it just shows the lie of how much these protections provide.

    --
    $tar -xvf .sig.tar
  15. Capital one by bl968 · · Score: 4, Informative

    Capital One has outsourced your credit card account customer service personnel to India. I called up with a question and, hearing a distinctive accent, I asked the young woman where she was located. To her credit she answered me honestly and I had no real problems with her. However, I do feel that any information sent to outsourced personnel overseas should be subject to all US legal protections, and the company should have to treat that data with the same responsibilities as if it was here in the USA.

    --
    "GET / HTTP/1.0" 200 51230 "-" "Mozilla/4.0 (compatible; Setec Astronomy)"
  16. Re:contactors must be held responsible by Herkum01 · · Score: 2, Informative

    Just because you are using a contractor does not absolve you of the responsibility. A company that has a contractor do something illegal, as a representative of the company, is liable for the acts of that contractor. Using this story, the hospital could have been sued if patient records were placed on the internet, and the hospital would have sued "Transcript Stat." Sonya Newburn herself might even be held personally responsible depending on the type of company she had, and even then that might not protect her either. So even if the hospital did not do wrong and did not know, the fact was that they are held responsible for the work done by the people that they used. You can contract responsibility away from yourself, only get someone else to do it for you and realize, "if they screw up I am going to be held for their fuck up."

  17. Privacy Laws in the works in India.. by civad · · Score: 2, Informative

    In case people thought that NOTHING was being done about the matter:
    http://www.computerworld.com/managementtopics/outsourcing/story/0,10801,81698,00.html
    http://www.computerweekly.com/articles/article.asp?liArticleID=122250&liFlavourID=1&sp=1
    http://216.239.51.104/custom?q=cache:aGXMuwaC72YJ:www.nasscom.org/download/CyberLaw.pdf+privacy&hl=en&ie=UTF-8

  18. Re:No news by DraconPern · · Score: 2, Informative

    We just tried a computer transcription product from the largest medical transcription equipment company for a month, and let me tell you, it doesn't work. It was too hard to use, produced too many errors (95% accurate), and in the end still needed a transcriptionist to correct the errors. So why bother?

    We ended up getting the portable digital transcription system (4 recorders, foot pedal, and software) from the same company. It was cheaper to pay the transcriptionist than the software, and we now have a 3 hour turnaround time on our transcription. Our doctors and referring physicians love it.

  19. Unfortunately... by tuxette · · Score: 3, Informative

    "It can't be taken outside the European Economic Area without your consent"

    Personal data may be taken out of the EU/EEA only if without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection. (EU Personal Data Directive 95/46/EC, Article 25). See here for whole Directive.

    The United States is not a third country that the EU has determined to provide an adequate level of protection of personal data. However, if the individual companies or organizations in the US adhere to the Safe Harbor agreement, personal data may be transferred.

    Unfortunately, it can ultimately be difficult to control that data once it gets to the US. A in Europe may determine that B in the US provides adequate protection via Safe Harbor. All is well, right? Not necessarily. What happens when B subcontracts to C, who subcontracts to D, who subcontracts to E, who subcontracts to F in country G where privacy laws don't exist? Yeah sure, there are rules, but if something were to happen, there would be more finger-pointing and "you weren't supposed to..." and such, as opposed to taking on responsibility. But nonetheless, your personal data has been compromised. All the bickering in the world won't resolve that matter.

    --
    People say I'm crazy, I got diamonds on the soles of my shoes...